Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of, and is subject to, the agreement between Sysflows Corporation ("Sysflows," "Processor") and the customer identified in that agreement ("Customer," "Controller") for the provision of Sysflows' software-as-a-service platform (the "Services") (the "Agreement"). In the event of a conflict between this DPA and the Agreement on the subject of data protection, this DPA controls.

1. Definitions

Terms such as "personal data," "processing," "data subject," "controller," "processor," "sub-processor," and "supervisory authority" have the meanings given in applicable Data Protection Laws.

"Data Protection Laws" means all laws and regulations applicable to the processing of personal data under the Agreement, including, as applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, and U.S. state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and similar comprehensive state laws, and the Australian Privacy Act 1988 (Cth) (including the Australian Privacy Principles).

"Customer Personal Data" means personal data contained within Customer Content that Sysflows processes on Customer's behalf in providing the Services.

"Customer Content" means the data Customer and its users submit to or generate within the Services, such as tickets, messages, attachments, and configuration data.

2. Roles and Scope

2.1 As between the parties, Customer is the Controller (or a processor acting on behalf of its own controllers) and Sysflows is the Processor with respect to Customer Personal Data.

2.2 Where Sysflows acts as a "service provider" under the CCPA/CPRA, Sysflows is prohibited from (a) selling or sharing Customer Personal Data; (b) retaining, using, or disclosing it for any purpose other than performing the Services, or outside the direct business relationship, except as permitted by law; and (c) combining it with personal data from other sources except as permitted by the CCPA/CPRA. Sysflows certifies that it understands and will comply with these restrictions.

2.3 The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are described in Annex I.

3. Processor Obligations

3.1 Instructions. Sysflows will process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by applicable law (in which case Sysflows will, where legally permitted, inform Customer of that requirement). The Agreement and this DPA constitute Customer's complete and final instructions. Sysflows will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

3.2 Confidentiality. Sysflows will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

3.3 No model training. Sysflows will not use Customer Personal Data or Customer Content to train its own or any third party's general-purpose or foundational artificial-intelligence or machine-learning models. AI features within the Services process Customer Content solely to provide the Services to Customer.

3.4 No sale or sharing. Sysflows will not sell or share Customer Personal Data and will not use it for cross-context behavioral advertising or targeted advertising.

4. Security

4.1 Sysflows will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures are described in Annex II and include, at a minimum, encryption of Customer Personal Data at rest and in transit.

4.2 Sysflows maintains an information security program designed to be aligned with the ISO/IEC 27001 framework. Sysflows is not currently certified to ISO/IEC 27001 or SOC 2 and does not hold a third-party audit report; it does not represent that the Services are certified to any standard unless it expressly states so in writing and can evidence the certification.

5. Sub-processors

5.1 Customer provides general authorization for Sysflows to engage sub-processors to process Customer Personal Data, subject to this Section.

5.2 Sysflows will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable to Customer for the performance of each sub-processor's obligations.

5.3 A current list of sub-processors is set out in Annex III to this DPA. Sub-processors that process Customer Content currently include:

Sub-processor | Purpose | Location
DigitalOcean, LLC | Cloud hosting and infrastructure on which the Services (including Customer Content) run | United States (US tenants and the global authentication catalog); Germany, Frankfurt (EU/EEA and UK tenants)
Anthropic, PBC | AI/LLM processing for in-product AI features. Under Anthropic's Commercial Terms (Claude API), Anthropic acts as a processor, does not train on inputs/outputs, and its DPA (with EU SCCs, UK IDTA, and Swiss addendum) is incorporated automatically. | United States

Note: Other vendors we use, including Stripe (billing and payments), MailChimp (our own marketing communications), and SalesMate (our own sales/CRM), process personal data for which Sysflows is the controller (such as billing contacts and prospect/marketing data), not Customer Content processed on Customer's behalf. They are therefore disclosed in our privacy policy rather than listed here as sub-processors.

5.4 Sysflows will notify Customer at least 30 days before adding or replacing a sub-processor via a subscribable feed at https://sysflows.com/subprocessor. Customer may object on reasonable data-protection grounds within 10 days; the parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected Services as set out in the Agreement.

6. Assistance to Controller

6.1 Data subject requests. Taking into account the nature of the processing, Sysflows will provide reasonable assistance (including through appropriate technical and organizational measures and self-service features of the Services) to enable Customer to respond to requests from data subjects to exercise their rights under Data Protection Laws. If Sysflows receives such a request directly, it will, where legally permitted, direct the data subject to Customer.

6.2 DPIAs and consultation. Sysflows will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the information available to Sysflows.

7. Personal Data Breach

7.1 Sysflows will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data.

7.2 The notification will describe, to the extent known and available, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Sysflows will provide reasonable cooperation and information to assist Customer in meeting its own breach-notification obligations.

8. Return and Deletion

Upon termination or expiry of the Services, Sysflows will, at Customer's election, return and/or delete Customer Personal Data within 90 days, except to the extent retention is required by applicable law, in which case Sysflows will continue to protect it and limit further processing. During the 30 days following termination or expiry, Customer may export Customer Personal Data through the Services' self-service export features, consistent with the Agreement; residual copies in routine backups are overwritten in the ordinary course.

9. International Transfers

9.1 Hosting and data residency. Sysflows hosts Customer Content on a regionalised basis. Customer may select either (a) a United States region, or (b) an EU/EEA region hosted in Frankfurt, Germany. UK customers are hosted in the EU/EEA (Frankfurt) region; there is no separate UK hosting region. Regardless of the region selected, a limited global authentication catalog containing Authorised User login identifiers (such as email addresses) is hosted in the United States for all customers, solely to enable sign-in and account routing; it contains no ticket or other Customer Content.

9.2 Transfers to the United States. For Customer Content hosted in the EU/EEA (Frankfurt) region (including UK customers), the following limited transfers to the United States occur: (a) Authorised User login identifiers held in the global authentication catalog; (b) Customer Content processed by AI Features, which is sent to Anthropic, PBC (see Section 5.3); and (c) access by Sysflows personnel and authorised sub-processors as needed to support, secure, and operate the Services.

9.3 Transfer mechanism. Where Customer Personal Data originating in the EEA, the UK, or Switzerland is transferred to the United States or any other country without an adequacy decision, the parties incorporate by reference the applicable European Commission Standard Contractual Clauses (the "EU SCCs") and, as applicable, the UK International Data Transfer Addendum (the "UK IDTA") and the Swiss addendum, each as completed in Annex IV. Transfers of UK-origin Customer Content from the UK to the EU/EEA (Frankfurt) region rely on the UK's adequacy regulations for the EEA; the UK IDTA applies to the onward transfer of UK-origin personal data from the EU/EEA region to the United States (notably the authentication catalog and AI processing).

10. Audits

Sysflows will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Sysflows will primarily satisfy this obligation by providing its then-current security documentation, reasonable responses to a security questionnaire (no more than once in any 12-month period), and any third-party audit reports or certifications it holds.

Where Data Protection Laws require Customer to carry out or mandate an audit or inspection that the foregoing cannot reasonably satisfy, Sysflows will allow for and contribute to such an audit, subject to the following: (a) no more than once in any 12-month period, except where additionally required by a supervisory authority or following a personal data breach affecting Customer Personal Data; (b) at least 30 days' prior written notice; (c) conducted during business hours, under confidentiality, and in a manner that does not unreasonably interfere with Sysflows' operations; (d) limited in scope to Sysflows' processing of Customer Personal Data, and excluding access to other customers' data, to multi-tenant infrastructure where access would compromise security or confidentiality, and to information subject to legal privilege or third-party confidentiality; and (e) at Customer's expense, unless the audit reveals material non-compliance by Sysflows, in which case Sysflows will bear the reasonable costs of that audit.

11. Liability and Miscellaneous

11.1 Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

11.2 This DPA is governed by the governing law of the Agreement, which is the law of the State of Delaware, United States, except where Data Protection Laws require otherwise and subject to the mandatory provisions of applicable Data Protection Laws (including the governing law specified for the EU SCCs and the UK/Swiss transfer mechanisms in Annex IV).


Annex I: Details of Processing

  • Subject matter: Provision of the Services to Customer.
  • Duration: The term of the Agreement, plus any retention period in Section 8.
  • Nature and purpose: Hosting, processing, and support of a cloud-based help-desk and service-operations platform (ticketing, cases, forms and lists, knowledge base, customer portal, reporting, and workflow automation), including AI-assisted features such as triage, summarisation, draft replies, classification, embeddings/semantic search, and autonomous AI agents.
  • Types of personal data: Names and business contact details; account identifiers and Authorised User login identifiers (such as email addresses); and any personal data contained within tickets, messages, comments, attachments, contact and organisation records, case records, list and form data, and configuration data submitted by Customer's Authorised Users and End Users.
  • Categories of data subjects: Customer's employees, Authorised Users (agents), and the End Users (customers, clients, and contacts) who interact with Customer through the Services.
  • Special categories of data: Not intended. The Services are not designed for, and Customer agrees not to submit, special-category or sensitive personal data except where expressly agreed in writing. Any such data that Customer nonetheless submits within Customer Content is processed on Customer's instructions and at Customer's responsibility.

Annex II: Technical and Organizational Measures

Sysflows maintains an information security program designed to be aligned with the ISO/IEC 27001 framework, including the following measures:

  • Encryption of Customer Personal Data at rest and in transit.
  • Identity and authentication directory: a limited set of Authorised User login identifiers (such as email addresses) is held in a shared, central authentication directory, separate from the per-tenant stores in which Customer Content resides, solely to provide sign-in and account routing. This directory is hosted in the United States.
  • Access control and least-privilege access management.
  • Network security controls.
  • Logging and monitoring.
  • Vulnerability management and patching.
  • Secure software development practices.
  • Data backup and disaster recovery.
  • Personnel security, confidentiality obligations, and training.
  • Physical security of facilities (provided by DigitalOcean; see Section 5.3).
  • Vendor / sub-processor management.
  • Incident detection and response.

Annex III: Sub-processors

The following sub-processors process Customer Content:

Sub-processor | Purpose | Location
DigitalOcean, LLC | Cloud hosting and infrastructure on which the Services (including Customer Content) run | United States (US tenants and the global authentication catalog); Germany, Frankfurt (EU/EEA and UK tenants)
Anthropic, PBC | AI/LLM processing for in-product AI features; Anthropic acts as a processor and does not train on inputs or outputs | United States

Annex IV: Transfer Mechanism / Standard Contractual Clauses

This Annex completes the transfer mechanism referenced in Section 9. Counsel to confirm version references and the docking-clause election, and to attach or execute the operative clause text.

1. EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), incorporated by reference and completed as follows:

  • Module(s): Module Two (Controller to Processor) applies where Customer is a controller; Module Three (Processor to Processor) applies where Customer acts as a processor for its own controller(s). The module matching the Customer's role applies to each transfer.
  • Clause 7 (Docking clause): Does not apply.
  • Clause 9 (Sub-processors): Option 2 (general written authorisation); minimum notice period 30 days, consistent with Section 5.4.
  • Clause 11 (Optional independent dispute resolution): does not apply.
  • Clause 17 (Governing law): the law of Ireland.
  • Clause 18 (Forum and jurisdiction): the courts of Ireland.
  • Annex I.A (List of Parties): Data exporter: Customer, as identified in the Agreement. Data importer: Sysflows Corporation, 8 The Green #19288, Dover, DE 19901, United States; privacy@sysflows.com.
  • Annex I.B (Description of transfer): categories of data subjects and personal data, nature, purpose, and duration as set out in Annex I of this DPA; frequency of transfer: continuous.
  • Annex I.C (Competent supervisory authority): the Irish Data Protection Commission, consistent with Sysflows' Article 27 EU representative.
  • Annex II (Technical and organisational measures): as set out in Annex II of this DPA.
  • Annex III (Sub-processors): as set out in Section 5.3 / Annex III of this DPA.

2. UK International Data Transfer Addendum (version B1.0). For transfers of UK-origin personal data to a country without UK adequacy (including the United States), the UK IDTA is incorporated and completed using the EU SCCs above as its Approved Addendum, with Table 1 (Parties) and Table 3 (Appendix Information) completed as per the EU SCC annexes above, the start date being the effective date of the Agreement, and the importer/exporter termination rights in Table 4 limited as stated in the IDTA. Transfers of UK-origin Customer Content from the UK to the EU/EEA (Frankfurt) region rely on the UK's adequacy regulations for the EEA and do not require the IDTA.

3. Swiss Addendum. For personal data subject to the Swiss FADP, the EU SCCs apply with these amendments: the competent authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC) for data governed by the FADP; references to the GDPR are read as references to the FADP where applicable; and the Clauses also protect data subjects in Switzerland, who may bring claims in their place of habitual residence.